1. Field of the Invention
The present invention relates to communication devices which authenticate each other using encryption before performing data communication.
2. Description of the Prior Art
When performing data communication, there are many instances when it is necessary to take protective measures against unauthorized copying or alteration of data.
In the example shown in FIG. 1, this relates to the optical disc reproduction device 10 reading a title such as a movie from the optical disc 13 and distributing a copy of the title via the network 11 to only the authorized movie reproduction device 12, at the same time preventing eavesdropping by the unauthorized movie reproduction device 14.
Secret communication where two-way authentication is performed in "Challenge Response" format provides one method where data communication is restricted to the supply of data from communication devices which have the authority to distribute data (hereinafter referred to as supplier devices) to communication devices which are authorized to receive the data (hereinafter referred to as authorized user devices), with other communication devices being excluded from the communication. The procedure for this kind of communication can be broadly divided into the following two steps.
1. Authentication Step
Before executing data communication, both devices verify that the device with which they are in contact is an authorized device. This is performed to prevent unauthorized communication devices from becoming an authorized supplier device or an authorized user device.
This confirmation is performed using encryption and consists of three main procedures. First, a first device transmits challenge data to the second device. The second device then proves its authorization for this challenge data and replies using response data. Finally, the first device verifies this response data.
2. Secret Communication Step
Secret communication of the object data is only performed when the authentication has been achieved in the previous step. This is to prevent eavesdropping during data transfer by a third communication device. An example of a conventional technique for performing secret communication with two-way authentication performed in "Challenge Response" format is a communication system standardized using International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 97892-2.
FIG. 2 shows the communication sequence performed when an authorized supplier device 15 transmits a copy of a title in its possession to an authorized user device according to the above conventional technique. Here, steps S21 to S33 in the drawing correspond to the authentication step described above, with steps S34 to S36 corresponding to the aforementioned secret communication step. Each of those steps in the drawing is described in more detail below.
Steps S21, S22
First, the authorized supplier device 15 generates a random number R1 and transmits it to the authorized user device 16 as challenge data CHA1.
Steps S23, S24
On receiving the challenge data CHA1, the authorized user device 16 generates a random number R2 as challenge data for the supplier device 15, and links these two as the data CHA1∥R2. It then sets this linked data (CHA1∥R2) as plaintext and performs a first encryption E1 according to the first encryption algorithm using an authentication key K1, which is provided beforehand only to authorized devices, as the encryption key. It then sends the resulting cryptogram E1(K1, CHA1∥R2) to the supplier device 15.
It should be noted here that this cryptogram RESCHA is both the response data in reply to the challenge data CHA1 sent from the supplier device 15 and the challenge data for the supplier device 15.
Step S25
On receiving this data RESCHA, the supplier device 15 sets it as a cryptogram and performs the first decryption D1 according to the first encryption algorithm, using the authentication key K1, which is provided beforehand only to authorized devices, as the decryption key.
It should be noted here that the decryption D1 is a reversal of the process in the encryption E1 according to the first encryption algorithm.
Step S26
Next, the supplier device 15 performs a reversal of the process in step S23 for the result X1 of the decryption D1, which is to say it performs separation to obtain separated data RR1 which corresponds to challenge data CHA1 and separated data RR2 which corresponds to random number R2.
Step S27
The supplier device 15 then compares the separated data RR1 with the random number R1 generated in step S22.
If, as a result, the numbers coincide, the supplier device 15 verifies that user device 16 is authorized. This is based on the observation that both devices are in possession of the authentication key K1 which is only known by authorized devices.
If, on the other hand, the numbers do not coincide, the supplier device 15 regards the user device 16 as not authorized and cancels the remaining processes.
Steps S28, S29
The supplier device 15, having authenticated the device with which it is in communication in the above steps, next moves on to generating a new random number K for use during secret communication and links this to separated data RR2. It then sets this linked data (RR2∥K) as plaintext and performs a first encryption E1 according to a first encryption algorithm using a second authentication key K2, which is provided beforehand only to authorized devices, as the encryption key. It then sends the resulting cryptogram E1(K2, RR2∥K) to the user device 16.
It should be noted here that this cryptogram (RES2) serves as both the response data in reply to the challenge data RESCHA sent from the user device 16 and as the distribution of the shared key K for secret communication.
Step S30
On receiving this data RES2, the user device 16 sets it as a cryptogram and performs a decryption D1 according to the first encryption algorithm using the second authentication key K2 provided beforehand as the decryption key.
Step S31
Next, the user device 16 performs a reversal of the process in step S28 for the result X2 of the decryption D1, which is to say it performs separation to obtain separated data RRR2 which corresponds to response data RR2 and separated data KK which corresponds to random number K.
Step S32
The user device 16 then compares the separated data RRR2 with the random number R2 generated in step S24.
If, as a result, the numbers coincide, the user device 16 confirms that supplier device 15 is authorized. This is based on the observation that both devices are in possession of the authentication key K2 which is only known by authorized devices. It should be noted here that when the separated data RRR2 and the random number coincide, the separated data KK will be equal to random number K.
If, on the other hand, the numbers do not coincide, the user device 16 regards the supplier device 15 as not authorized and cancels the remaining processes.
Step S33
On authenticating the supplier device 15 in the step given above, the user device 16 informs the supplier device 15 of this verification.
By doing so, the two-way authentication is positively completed at the same time as the provision of the shared key K for the following secret communication is completed.
Steps S34, S35
The supplier device 15 then sets a copy of the title as plaintext and performs encryption E2 according to a second encryption algorithm using the shared key K as the encryption key, before transferring the encrypted title to user device 16.
Step S36
On receiving the encrypted title, the user device 16 sets it as a cryptogram and performs decryption D2 according to the second encryption algorithm using the shared key K as the decryption key.
It should be noted here that the decryption D2 is a reversal of the process in the encryption E2 according to the second encryption algorithm.
By means of the above procedure, a copy of the title in the possession of the authorized supplier device 15 can be distributed to the authorized user device 16, with eavesdropping by a third communication device during distribution being prevented.
However, there are the following drawbacks with the verification method described above.
(1) In order to perform two-way verification, both devices require large-scale logic circuits which prevent reductions in the size of the equipment.
In general, a more complex and hence more secure encryption algorithm is used in the authentication step than in the secret communication step. Here, a title comprises a huge amount of data, so that while from the viewpoint of transfer time it is necessary to perform the encryption and decryption of the title in a short time, only a negligible amount of data is used by the challenge data and response data in comparison to the title data, so that there are no effective restrictions on the amount of data used. Moreover, it is more important that a complex encryption algorithm of high security be used in the authentication step in order to improve the overall security of data communication.
Here, in order to execute the authentication step, both devices need to be equipped with an encrypter for executing encryption E1 and a decrypter for executing decryption D1.
If it is supposed here that each of the encrypter and the decrypter is composed of a logic circuit which includes ten thousand gates, both devices will need to include logic circuits which include over twenty thousand gates in order to execute two-way authentication. This makes the realization of compact, low-cost optical disc reproduction devices and image reproduction devices problematic.
(2) The secret management necessary for maintaining the security of two-way authentication is very difficult.
In order to maintain the security of two-way authentication, the encryption algorithm. In order to do so, it is necessary to provide an encrypter and a decrypter only to the authorized supplier device 15 and the authorized user device 16.
Here, for the aforementioned authentication method, the encrypter and the decrypter provided in the supplier device 15 are the same as those which are provided in the user device 16. As a result, should an unauthorized communication device succeed in acquiring the encrypter and the decrypter provided in a supplier device 15, this unauthorized communication device can then be easily used as either a supplier device 15 or a user device 16. In the same way, should it succeed in acquiring the encrypter and the decrypter provided in a user device 16, this unauthorized communication device can then be easily used as either a user device 16 or a supplier device 15. This means that in order to maintain the security of two-way authentication, it is necessary for the encrypter and decrypter in both the supplier device 15 and the user device 16 to be protected at the same high level of security.
However, since there are generally a far greater number of title users than title distributors, it is difficult to maintain complete security for the encrypters and decrypters used by all of the user devices 16. As a result, it is easy for unauthorized users to improperly obtain copies of titles or to improperly distribute them.
As one example, suppose "authorization" is set as "conforming to an established standard for optical discs". In this case, the encrypter and the decrypter are supplied not only to the company which manufactures an optical disc reproduction device which conforms to this standard but also to a large number of companies which manufacture image reproduction devices which conform to the standard. Since it is necessary here to maintain the secrecy of the systems, such secrecy management is highly problematic.